What Health Apps Tell Outsiders About You

Hundreds of health applications these days can track our weight, steps, caloric intake, blood pressure – and even our friends’ workouts at the gym. And those diagnosed with an ailment can go online to get answers to health questions or share their stories with others suffering from the same illness.

Sure, this can be useful for consumers seeking to take control of their health. These new outlets, however, raise other questions: Who else is looking at our medical information? And how are they using it?

This was the subject of a Federal Trade Commission (FTC) seminar this week on the privacy ramifications of consumers disclosing health information about themselves that can be mined by others. Most consumers, privacy experts said, are unaware this can happen.

Under federal law – the Health Insurance Portability and Accountability Act, or HIPAA – health care plans and providers must keep your medical information confidential. Yet websites or apps don’t have this obligation.

Privacy experts say much of the information collected doesn’t include names, addresses or any other obvious identifying factors. Still, it’s not that difficult for data miners to connect the dots and uncover identities.

Latanya Sweeney, the FTC’s chief technologist, says almost all states have collected discharge information from hospitals since the 1990s. Though names aren’t disclosed, other details such as diagnoses, treatments and payments are included. Thirty-three states sell or share this health data, she says.

In a study last year, Sweeney purchased discharge information from the state of Washington for $50, then compared it with 81 news reports of people being injured and hospitalized. In 43 percent of the cases, she was able to match the person with the medical data.

Apps also have privacy risks. The Privacy Rights Clearinghouse last year surveyed 43 health and fitness apps, concluding that many shared customer data – often unencrypted – with outside parties without the consumers’ knowledge. Paid apps offer more privacy protections than free apps do, though the group says consumers should not assume their data is confidential.

Privacy experts say it’s unclear how these outside parties are using this information.

PatientsLikeMe, a website for people who want to anonymously share their medical stories with one another, states on its site that it will share information with research institutions as well as pharmaceutical and medical-device companies. Names and addresses aren’t disclosed, but shared data includes age, gender, symptoms, treatment and genetic information.

“People are willing to share this data” to help others or to compare their health experiences, said Sally Okun, a vice president with the website.

For those who desire privacy, how can they protect it?

The first step is to become aware that the information you give to apps and websites is likely to be shared. And knowing this, people can decide whether the health assistance they get from an app or website is worth their giving up some personal information.

“Individuals have control of their own data,” Sweeney said. “What they can do with it is up to them.”